GDPR – Data best-practice is no longer a luxury

Unless you’ve been living under a rock, you will have heard about GDPR – and if you haven’t, now is certainly the time to get educated.

Who does GDPR apply to? If you store customer data or use email marketing systems, GDPR applies to you and is important to you and your business.

The General Data Protection Regulation (GDPR) is an EU-wide legal framework setting the guidelines for collecting and processing the personal information of an individual. Each nation within the EU will have its own national supervisor; in the United Kingdom this supervisor is the Information Commissioner’s Office (ICO) who will be defining the legal requirements and enforcing GDPR.

With the recent leaks, breaches and abuses of data that have appeared in the press, we are wising up to the value of our data and why it needs protecting. GDPR is a by-product of this awakening to the importance of data. As businesses, it is our responsibility to secure and respect any individual’s information we possess, and their data protection choices. Yet every member of your team plays an equal role in ensuring you become and remain GDPR compliant. A chain is only as strong as its weakest link, and under GDPR this applies both to your team’s (bad) data habits and behaviour and to the technology and systems you use.

When do you need to be GDPR ready?

GDPR comes into effect officially on the 25th May 2018. Despite this deadline, it’s worth noting that although there is an outline and framework in place found in the GDPR documentation, we can presently only ‘guesstimate’ the exact legislation that will come into effect. It is the responsibility of the ICO to publish legislation, and until this happens, it is impossible to enforce a rule that does not currently exist.

From all the conversations we’ve had with people, there is a recurring trend we’ve spotted: only business owners and decision makers care about GDPR. Yet it’s not often the decision makers or business owners who will be hands-on, working day-to-day with this data. You can be a responsible business owner and prepare thoroughly for GDPR before the May deadline, but ultimately it will be your team that dictates your GDPR compliance. Salespeople, marketers, accountants, support staff, interns, frankly any team member with access to customer data, needs to be educated on the importance of GDPR and the implications it may have on their workflows.

If you follow industry best-practice then GDPR will not be much of a change for you. If you’re not quite there, then these changes will require some work, but will simultaneously give you the opportunity to make some interesting discoveries about your business and your customers.

It’s unrealistic to think your team will become GDPR experts, but getting an elementary understanding of Article 5 would be wise to keep them and your business above board and in line with GDPR requirements. Article 5 sets out the key data protection principles and responsibilities for organisations. Here is a quick summary with a list of actions:

Double Opt-In
Description: No longer optional.
Action: Create an automated opt-in workflow, or enable opt-in with your ESP.

Consent
Description: Requires one of the six legal bases for processing.
Action: See the next section.

Transparency
Description: You now need to openly and clearly state your reason for collecting data.
Action: Add a short blurb to your sign-up forms describing your intended use.

Relevant data only
Description: Don’t be greedy: collect only the data you need. This should also make your team more efficient, spending less time sifting through irrelevant data and more time being productive.
Action: Get into the habit of planning your data requirements, and collect only the data you really need.

Keep your data up-to-date
Description: This should already be a priority; however, you are now legally required to keep data up-to-date with periodic audits.
Action: Periodically ask your data subjects to update their information and contact details. Quarantine emails and accounts that bounce or are no longer active.

Delete data that is no longer required or active
Description: Once you have used data and it is no longer active, it is your responsibility to delete it. There is no set time-frame here, so use your best judgement; many organisations have opted for 9 months.
Action: Create an automated or manual process to remove and destroy inactive and out-of-date data.

Keep your data secure
Description: Random Excel documents, without a password and kept on a shared computer, spell trouble. The requirement to maintain a single, up-to-date source of truth for your customer data means a CRM and integrated systems are no longer a luxury.
Action: Implement a CRM for your business with an account for each team member. Introduce access control and permissions to ensure that the right data stays with the right people.

The following key points require a little more explanation:

Lawful and legitimate collection and processing of data.

Let your team know that they should only be collecting relevant and lawful data. That means no more bought lists, and it means being realistic about what data you really need. The ICO publishes a strict list of what it defines as acceptable grounds for collecting and processing data: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/#ib3

If your current workflow requires bought lists, then, unfortunately, your business development workflow will need to change. There are key differences between B2B communication and B2C communication. In terms of allowable communications in a UK context, GDPR cannot be considered in isolation from PECR. There is some overlap which will be resolved in time.

In both cases, there is a distinction between B2B and B2C communications. Generally speaking, B2C communications need explicit consent, whilst B2B communications can instead rely upon “legitimate interest”. In simple terms, you can cold call businesses, but not individuals. There are some grey areas, such as whether sole traders count as individuals or businesses, and whether a personally identifiable corporate email address is individual or business. Common sense suggests both are business communications, but the strict letter of GDPR could certainly be interpreted to treat these as individual communications. Ultimately this will be decided in the UK by the ICO, and by the other relevant national supervisory bodies throughout Europe.

Gaining consent

This is not as easy as it might sound, and there needs to be a clearly recorded history of the individual’s consent. Proving consent is essential and the ICO offers the following guideline:

Positive opt-in – meaning the individual has to tick a box to be opted in, not tick a box to be opted out. This will become the standard.

No pre-ticked boxes – this has to be an active process by the individual, they need to make the effort to have opted in.

Clear and plain language – no more double negatives or swings and roundabouts to decipher whether you’re opting in or out.

A clear and concise message about why you are collecting this data – What do you need it for? ‘We need your date of birth so we can send you a free gift on your birthday’.

Keeping a record of when and how you got consent from someone – Everything hinges on you being able to prove that this person did indeed consent to share data with you. Therefore you need to keep this record safe.

Regularly review consent to check that the relationship, the processing and the purposes have not changed – Your business may have changed somewhat, and this individual may no longer be interested in the services or messages you are sending. Do not see these as losses, for those who stay are those most engaged, giving you a better quality audience.

Make it easy for individuals to withdraw their consent at any time, and publicise how to do so – Unsubscribe links are essential here, and make it a one-click unsubscribe, the individual should not have to jump through hoops to unsubscribe.

Data expiry date – Clean up when you are done.

Like in your kitchen at home, once you’ve finished dinner, you wash the dishes, clean the surfaces, and throw away the waste and packaging. GDPR requires you take the same approach to data. Once you no longer have a requirement for data, it should be systematically deleted when no longer active or relevant. This will ultimately help you maintain a clean database of relevant contacts. In an ideal world, you will have an automated system to manage this process for you.
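The consent guidelines above (positive opt-in, double opt-in, a record of when and how consent was given, one-click withdrawal) and the data-expiry principle can be captured in one small consent ledger. This is an added illustration, not SalesSeek code; the 270-day retention window, the `ConsentLedger` class and the event names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
# Constructed retention window; the article notes many organisations have chosen 9 months
RETENTION = timedelta(days=270)

@dataclass
class ConsentRecord:
    email: str
    purpose: str                  # plain-language reason shown on the sign-up form
    requested_at: datetime        # when the subject actively ticked the box
    last_activity: datetime       # drives the data-expiry purge below
    confirmed_at: Optional[datetime] = None  # set by the double opt-in confirmation step
    withdrawn_at: Optional[datetime] = None
    history: list = field(default_factory=list)  # (when, event, how): proof of consent

class ConsentLedger:
    def __init__(self):
        self.records = {}
    def request(self, email, purpose, ticked, source, now):
        # Positive opt-in only: an unticked (or default) box records nothing at all.
        if not ticked:
            return False
        rec = ConsentRecord(email, purpose, now, now)
        rec.history.append((now, "requested", source))
        self.records[email] = rec
        return True

    def confirm(self, email, now):
        # Second half of double opt-in; mailing is allowed only after this step.
        rec = self.records[email]
        rec.confirmed_at = rec.last_activity = now
        rec.history.append((now, "confirmed", "confirmation link"))

    def withdraw(self, email, now):
        # One-click unsubscribe; the record stays for RETENTION as proof of withdrawal.
        rec = self.records[email]
        rec.withdrawn_at = rec.last_activity = now
        rec.history.append((now, "withdrawn", "unsubscribe link"))

    def may_email(self, email):
        rec = self.records.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
    def purge_inactive(self, now):
        # Data expiry: delete any record, confirmed or not, dormant for longer than RETENTION.
        stale = [e for e, r in self.records.items() if now - r.last_activity > RETENTION]
        for e in stale:
            del self.records[e]
        return stale
```

Run `purge_inactive` from a scheduled job so expiry happens systematically rather than by hand.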

Request for information

In the UK, we have had the Freedom of Information Act 2000, which is almost identical to the outline of data subject requests set out in GDPR. Under GDPR, as under the Freedom of Information Act, individuals will be able to request a copy of the data you store on them. The difference is that GDPR’s framework sets out the time frame and reasonable cost parameters. Implementing a system that makes these requests as simple as possible will enable your team to respond as quickly as possible.

Summary

There is no single blog article online that will be able to help you with all your GDPR woes or questions. It is a beast unto itself. Despite its enormity, it’s not all as bad as it might seem. The ICO is not looking to make examples of anyone quickly. As we have seen in the recent press, there are far larger abuses of data for the ICO to deal with for the foreseeable future than targeting smaller organisations. Elizabeth Denham, the Commissioner of the ICO, has recently stated that:

‘it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.’ – ‘It’s evolution, not revolution’

How can SalesSeek help?

Integrated Out-Of-The-Box

SalesSeek is a powerful customer data platform designed for effortless integration of all the systems used by your business. From bulk email to accounting, SalesSeek has a fully open API giving endless integration possibilities, and a system designed for full team and departmental collaboration.

Grouping for Data Privacy

SalesSeek data groups enable specific sets of information to be independently permissioned. Give access to the right information to only the right people and maintain a single source of truth for your data.

Field-level data source

Knowing where a record, and each specific element of it, has come from is important. It gives you the ability to audit certain information acquired from one source without having to audit or delete the record entirely.

One-click data portability

SalesSeek will be introducing functionality that not only supports a ‘one-click’ download of a person’s data, but also the ability to tag ‘private notes’ data that should be excluded from that export.